×

In wake of Equifax hack, SEC chief rips companies for not realizing 'we are constantly under attack'

  • SEC Chairman Jay Clayton called Tuesday for better disclosure from companies whose computer systems have been hacked.
  • Clayton said he couldn't speak on the Equifax matter specifically. The company's CEO, Richard Smith, retired Tuesday.

Securities and Exchange Commission Chairman Jay Clayton called Tuesday for better disclosure from companies whose computer systems have been hacked.

Speaking as the Equifax hack controversy continues to swirl, Clayton said the current level of information coming from companies is inadequate and posing dangers on multiple fronts.

"Companies should be providing better disclosure about their risk profile. Companies should be providing sooner disclosure about intrusions that may affect shareholder investment decisions," the regulatory chief said during testimony before the Senate Committee on Banking, Housing and Urban Affairs. "Across our markets there should be better disclosure as to the cyber-risks we face."

Clayton said he couldn't speak on the Equifax matter specifically. But he said disclosure is a general problem that impacts both consumers and investors.

"We expect people to constantly assess," he said. "When they have notice of a cyberbreach we expect people to constantly assess whether that breach is material to investors, and when they determine that it is, make appropriate disclosure promptly."

Jay Clayton, chairman of U.S. Securities and Exchange Commission
Zach Gibson | Bloomberg | Getty Images
Jay Clayton, chairman of U.S. Securities and Exchange Commission

Equifax, a consumer credit rating company, recently revealed that the credit records of some 143 million individuals were exposed. Disclosure of the incident wasn't made public for weeks after it was discovered. The company's CEO, Richard Smith, suddenly retired Tuesday.

The SEC finds itself in the middle of a similar situation, though the scale is less dramatic. The agency's EDGAR system was broken into in 2016, and Clayton was notified only in August, some three months after he was confirmed. Corporate regulatory filings are placed in the EDGAR system, so a breach could give hackers nonpublic information that they can use to trade on.

Clayton said he "immediately" initiated an investigation and decided that "disclosure was necessary" because he determined it was "a serious matter." He said the investigation is ongoing to determine who knew about the breach and why it wasn't disclosed.

However, he warned that hacks remain a threat.

"We must be vigilant and we must be better," he said, later adding, "We are under constant attack from nefarious actors."

Clayton said he does not believe the EDGAR hack exposed personal information or poses a "systemic risk."

WATCH:  Equifax CEO retires following an epic data breach